
Re: One-line password generator



On 23/08/17 11:57, Brian wrote:
>> If you do not care about security, you could generate a single 4
>> character bit block with my method and save typing.
> 
> One online password checker (not that I understand how it works or even
> trust it) gives
> 
>  IhaveaMemorablePasswordwhichIwillnotforget!
> 
> 211.6 bits of entropy and rates it as "very strong" and "overkill". I'd
> place any discomfort with having to type a long password low down on my
> list of password formation difficulties. Long, with some complexity and
> memorable goes a long way to securing accounts on a computer or on the
> web.

Entropy is just another way of expressing probability. More
specifically, entropy in bits is the logarithm in base 1/2 of the
probability.

It only makes sense to speak of probability (or equivalently, entropy)
when there is a clearly defined probability distribution.

The kind of passwords that you suggest are generated combining fragments
of your knowledge in an ad-hoc way. Thus although we could *speak* of
the probability distribution of your method, as applied by you, the
actual probabilities are unknowable.

The relevant probability distribution for password strength is the one
that the attacker will assume. The online password checker has no way to
know this, therefore the figures it gives are utter bullshit. Not only
should you not trust it, you should ignore it completely.

With my method, the probability distribution is well defined: Each
character is chosen independently and uniformly distributed from a set
of 64, thus it has 6 bits of entropy.

>> No, I am not digressing. Not every password is equally important. How
>> important is the password you use to post in a forum that you will not
>> visit again? Is it as important as the password of your GNU PG private key?
> 
> Developing good practice with password management is what is important.
> If that weak password leads to a compromise of the account then it could
> end up with a ruined reputation for someone, depending on what happens.
> An ingrained habit of always creating a good password is a respectable
> life skill.

It is very ironic that you are now talking about the importance of
strong passwords, while at the same time you advocate a non-well-defined
method for password generation that probably gives weak passwords.

As for the scenario where the password is compromised and that leads to
somebody posting slander on one's behalf, that can happen without any need
for password cracking. Anybody can create a profile in a social network
pretending to be you with the intention to taint your reputation.

Hence, only your reputation as perceived by stupid people would suffer
from such an attack.

> I actually like your method; it's making the outcome of it memorable
> which I have difficulty with. I have no hesitation in saying the chances
> of my memorising
> 
>  u19rX2JjTM5salGIYfrO1w
> 
> is nil. I suppose I could put more effort into forming a mnemonic, but
> I'd likely forget that too. On the other hand I could write it in my
> notebook. That's probably the way to go. Then I leave my notebook at
> home.

I acknowledge that devising a mnemonic for the whole password in a
single run is not practical. Hence my suggestion (which I already
described in a previous message) is that if you need to memorize it
instead of storing it in a password manager, then you generate and
memorize it in chunks of 4 characters.

> "Probably" is probably good enough. The probability of either of the two
> previous passwords being deduced from pure guessing is close to zero.

It is not human guessing but brute-force attacks with specialized
hardware that you should try to protect against.

-- 
Do not eat animals, respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
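The two points made above, that entropy is only defined relative to a probability distribution and that a character drawn uniformly from a set of 64 carries exactly 6 bits, worked through in Python. This is an added example, not the one-liner from the original thread; the URL-safe Base64 alphabet, the 4-character chunking and the guess rate of 10^12 per second are assumptions.

```python
import math
import secrets

# Assumed alphabet: the 64 URL-safe Base64 characters. The message only says
# "a set of 64"; which 64 characters is an assumption made here.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def entropy_bits(probability):
    """Entropy in bits of an outcome with the given probability:
    the logarithm in base 1/2 of the probability, i.e. -log2(p)."""
    return -math.log2(probability)


def uniform_password_entropy(length, alphabet_size=64):
    """Entropy of a password whose characters are chosen independently
    and uniformly: each character has probability 1/alphabet_size."""
    return entropy_bits((1 / alphabet_size) ** length)


def entropy_under_uniform_model(password, alphabet=ALPHABET):
    """Entropy the password carries *if* it came from the uniform method.
    Returns None when the string could not have come from that alphabet.
    An ad-hoc phrase has no defined distribution, so no figure is meaningful
    for it even when its characters happen to lie in the alphabet."""
    if not set(password) <= set(alphabet):
        return None
    return uniform_password_entropy(len(password), len(alphabet))


def generate_password(length=22, alphabet=ALPHABET):
    """Draw each character independently and uniformly with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def chunk(password, size=4):
    """Split into the 4-character blocks the message suggests memorizing."""
    return [password[i:i + size] for i in range(0, len(password), size)]


def expected_brute_force_seconds(bits, guesses_per_second=1e12):
    """Expected time for an exhaustive search to hit the password: half the
    keyspace at the given rate. 1e12 guesses/s is an assumed hardware rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    pw = generate_password()
    print(" ".join(chunk(pw)), uniform_password_entropy(len(pw)), "bits")
    print("4-char block:", expected_brute_force_seconds(24), "s to search")
```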
